New online security measures: What if you don’t have a smartphone?

The rules stating how banks and online payment providers verify
customers are changing. From September 2019, people shopping or banking online may
face new checks in order to prevent fraud.

Smartphones should generally make meeting these requirements quite straightforward, but questions have been raised about the possible impact on customers who don’t have a smartphone, or find using them difficult.

This Insight looks at why is this change happening and what’s being done to protect those who don’t have smartphones.

The Payment Services Directive

The changes come from the European Union’s Payment Services Directive, which requires the introduction of ‘strong customer authentication’ (SCA). This is part of a European-wide response to the growth in online banking scams and fraud. This is a major problem in the UK: £1.2 billion was stolen through fraud and scams in 2018.

The strong customer authentication rules will require customers to provide two different types of information, from three categories, in order to make certain electronic transactions:

Knowledge: something only the user knows, such as a password or PIN.

Possession: something only the user possesses, such as a card checked by a card reader.

Inherence: something unique about the user, such as their fingerprint or voice.

The changes mean that in order to make an online transaction, a customer
might have to use a pin (knowledge) and a receive a text to a mobile phone
(possession). Or they might be required to provide a password (knowledge) and
scan a fingerprint (inherence).

Will I need a smartphone to continue online shopping and banking?

Many smartphones contain technology, such as fingerprint scanners, which
could make meeting the new verification rules very simple. Smartphones could
therefore play an increasingly important role in online transactions.

However, there are concerns about the impact on those who either do not have a smartphone, can’t use one, or do not have a reliable phone signal. An article published by the Consumers’ Association website, Which? indicated that some people would face problems when the rules are due to come into force in September.

Partly to give firms more time to address these concerns, the Financial
Conduct Authority (FCA) has agreed a plan to phase in the changes to 14 March
2020 for online banking and to March 2021 for online shopping.

The FCA has stated that it expects all firms “to mitigate the potential negative impact of SCA on different groups of customers, in particular those with protected characteristics.” It has made it clear that consumers without a smartphone must be given an alternative means of authenticating themselves. It said:

“We have
been made aware of instances where consumers have been told by their bank that,
for example, they will not be able to shop online or access their account
without a smart phone. This is not acceptable.”

Alternative means of identification could include customers having codes sent to landline numbers or email accounts, or through the use of card readers.

What can I do if I can’t access online banking or shopping?

If a customer can’t access banking or shopping services because they can’t verify their identity via a smartphone, they should firstly make a complaint to the company. If the issue is not resolved, they could make a complaint to the Financial Ombudsman Service.

The aim of the Ombudsman is to ensure that customers are treated fairly, and it can investigate complaints and award money and compensation. When deciding whether someone has been treated fairly, the Ombudsman service considers the relevant law, regulators’ rules and guidance, industry codes of practice and what it considers to be good industry practice. Advice about this process is available from the Ombudsman helpline.